Apriza Pinandita, Jakarta – Experts have called on the government to conduct a forensic audit into a breach of millions of Indonesian citizens' data that was allegedly stolen and shared illegally on a hacker forum, the latest in a series of personal data breaches.
The cybersecurity research collective Under the Breach on Thursday posted about the leak on its Twitter account @underthebreach, saying the hacker appeared to have stolen the data from the General Elections Commission's (KPU) website in 2013. The data set is claimed to be the final voter list (DPT) in the 2014 presidential election.
The data of around 2.3 million people, including sensitive information such as full names, Family Card numbers, citizenship identification numbers (NIK), home addresses and other personal information, is listed in a PDF document.
"The perpetrator claims he will leak information of 200,000,000 additional citizens soon," Under the Breach wrote on its Twitter account.
Data breach cases are rising as Indonesia has yet to pass its personal data protection bill. Under the Breach has unveiled data leaks that recently afflicted e-commerce giant Tokopedia and airline giant Lion Air Group. The data of at least 91 million Tokopedia customers was illegally exposed, as well as the passport details of 35 million Lion Air Group passengers.
The Institute for Policy Research and Advocacy (ELSAM) has called on the Communications and Information Ministry to carry out an investigation into the data breach and optimize existing regulations to take action against data breaches and protect citizens' data.
ELSAM said the government needed to deliberate the personal data protection bill as soon as possible with the House of Representatives.
"The Communications and Information Ministry [must] soon conduct an investigation to get more data and information about the affected DPT, what types of data were leaked and what measures did the KPU take as an electronic system service provider. These efforts aim to prevent another personal data leak," ELSAM wrote in a statement.
Communication and Information System Security Research Center (CISSReC) chairman Pratama Persadha also urged the KPU to conduct a digital forensic audit to ensure the safety of its data system. It's a great danger to let confidential data be exposed in public without encryption, as it can be misused by irresponsible people, he added.
"The identification numbers of your Identity Card or Family Card could be used to register for a phone SIM card or even to apply for online lending," said Pratama.
"This is very concerning. The problem is that people can't do anything. The data should be protected by whoever possesses it, be it private or public institutions."
Pratama called on the government to play a greater role in ensuring the cybersecurity of its citizens, specifically mentioning the Communications and Information Ministry and the National Cyber and Encryption Agency (BSSN), among others, which "have yet to function optimally".
Although the KPU has said the DPT is open data, it does not mean that it should not be protected, according to ELSAM and CISSReC, as leaked personal data from the DPT could be used to commit a crime.
Communications and Information Minister Johnny G. Plate said on Friday that a joint force of the KPU, the ministry and the BSSN would be created to investigate the data breach, which is also expected to prevent a repeat.
"The mechanism of voter data submission, processing, storing and exposing must be secured," said Johnny.
In addition, he called on lawmakers at the House to deliberate the government-proposed personal data protection bill as soon as possible. Indonesia has yet to have its own version of the European Union's General Data Protection Regulation (GDPR) as deliberations have stalled since the government submitted the draft bill to the House in January.
In the meantime, Johnny added, the government was finalizing the establishment of a national data center that would integrate all kinds of government data with a multi-layered security system. The data center is also expected to solve the overlapping issue among public institutions.
KPU commissioner Viryan Azis said his office was currently checking the KPU's data server, pledging to probe the case thoroughly.
"We are conducting an internal check on our server and coordinating with relevant parties," said Viryan as quoted by kompas.com on Friday. Viryan presumed that the data exposed in the forum might be a soft copy of the 2014 election data, with metadata dated Nov. 5, 2013.
According to him, a soft copy is openly available to the public. "The soft copy [the PDF-formatted document] was issued based on the existing regulation for the public's interest," he said.
– Marchio Irfan Gorbiano contributed to the story.